ci(handlers-postgres): widen required-tables guard to include workspace_auth_tokens + org_api_tokens (#2148) #2449

Merged
devops-engineer merged 1 commits from fix/handlers-pg-required-tables-widen into main 2026-06-08 23:11:04 +00:00
Member

What

Widen the post-migration table-presence guard in .gitea/workflows/handlers-postgres-integration.yml to include the two auth tables required by the registry-auth TestIntegration_ suite (WIP #2156 / issue #2148):

  • workspace_auth_tokens (migration 020)
  • org_api_tokens (migration 035)

The current list covers delegations / workspaces / activity_logs / pending_uploads / workspace_schedules. The auth tables were missing from the guard, so a silently-skipped migration 020 or 035 (the surrounding apply-all-or-skip loop suppresses migration failures) would let the auth tests run against missing tables and falsely green.

Why this is cleanly-separable

This is the CR2 action item flagged in the #2156 WIP body:

CR2: consider adding workspace_auth_tokens + org_api_tokens to that sanity list so a skipped auth-table migration fails loud instead of skipping silently.

The WIP test code (#2156) remains the devops-engineer / dispatched-agent lane; this PR closes the guard gap independently and can be reviewed + merged on its own. It also unblocks the #2156 suite's full coverage (with the guard in place, the auth tests' table-missing failure mode surfaces as a real CI failure rather than a false green).

Test plan

  • Workflow YAML linter green (.gitea/workflows/handlers-postgres-integration.yml parses; only the loop body changed).
  • Handlers Postgres Integration job: green (both auth tables should be present after the standard apply-all-or-skip migration replay on the sibling Postgres).
  • If a future PR drops / renames workspace_auth_tokens or org_api_tokens migrations, the guard now surfaces it as ::error:: instead of silently skipping the auth tests.

Watch-fail intent (regression-first)

  • Drop migration 020 from the chain → workspace_auth_tokens table missing → guard hard-fails the integration job.
  • Drop migration 035 → same for org_api_tokens.
  • Rename either table without updating the guard → CI surfaces the silent miss.

References

  • #2148 — parent issue (real-Postgres TestIntegration_ suite for registry-auth)
  • #2156 — WIP PR for the test suite (devops-engineer, not touched here)
  • #2150/#2155 — sibling area (migration replay-from-scratch), not blocked or affected by this change
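As an added illustration of the guard the PR body describes (this is example code, not the contents of `.gitea/workflows/handlers-postgres-integration.yml`): an apply-all-or-skip migration loop that swallows failures, followed by a post-migration table-presence check with a fixed allowlist that now includes the two auth tables. The `psql` invocation, the `HANDLERS_PG_DSN` variable and the `migrations/` directory are assumptions; the seven table names are the ones the PR lists.

```shell
#!/bin/sh
# Added example, not the repository's workflow. Shows why a table-presence
# guard is needed next to an apply-all-or-skip migration loop.
set -eu

# Fixed allowlist, held in the script rather than taken from PR or user
# input, so the check stays a bounded, deterministic schema query.
REQUIRED_TABLES="delegations workspaces activity_logs pending_uploads workspace_schedules workspace_auth_tokens org_api_tokens"

# Apply-all-or-skip replay of the shape the PR describes: a failing migration
# (say 020 or 035) only prints a warning, so nothing here fails the job.
# Assumes migrations live in migrations/*.sql (assumption, not from the PR).
replay_migrations() {
  for f in migrations/*.sql; do
    psql "$HANDLERS_PG_DSN" -v ON_ERROR_STOP=1 -f "$f" \
      || echo "::warning::migration $f failed, skipping"
  done
}

# List the tables that actually exist in the public schema after replay.
list_present_tables() {
  psql "$HANDLERS_PG_DSN" -At -c \
    "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';"
}

# check_required_tables <newline-separated list of present tables>
# Emits one ::error:: annotation per missing required table and returns
# non-zero if any is absent. Kept separate from psql so the logic can be
# exercised with a constructed table list.
check_required_tables() {
  present="$1"
  missing=0
  for t in $REQUIRED_TABLES; do
    if ! printf '%s\n' "$present" | grep -qx "$t"; then
      echo "::error::required table '$t' missing after migration replay"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Entry point for CI: replay, then hard-fail the job if the guard trips.
run_guard() {
  replay_migrations
  check_required_tables "$(list_present_tables)"
}

# Only talk to a database when a DSN is provided; otherwise the functions
# above are merely defined (so the file can be sourced or unit-tested).
if [ -n "${HANDLERS_PG_DSN:-}" ]; then
  run_guard
fi
```

The point the example makes is the one in the PR body: `replay_migrations` cannot fail the job, so without `workspace_auth_tokens` and `org_api_tokens` in `REQUIRED_TABLES` a skipped migration 020 or 035 would only surface later as auth-test failures, or not at all.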
agent-dev-b added 1 commit 2026-06-08 22:59:06 +00:00
ci(handlers-postgres): widen required-tables guard to include workspace_auth_tokens + org_api_tokens (#2148)
ci-arm64-advisory / fast-checks (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 3s
Lint shellcheck (arm64 pilot) / shellcheck-arm64 (pilot) (pull_request) Successful in 11s
CI / Python Lint & Test (pull_request) Successful in 2s
CI / Detect changes (pull_request) Successful in 4s
E2E API Smoke Test / detect-changes (pull_request) Successful in 6s
E2E Chat / detect-changes (pull_request) Successful in 5s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 5s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 7s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 3s
Lint forbidden tenant-env keys / Scan workspace_secrets writers for forbidden env keys (pull_request) Successful in 4s
Lint forbidden tenant-env keys / Scan for repo-host token write into tenant workspace surface (pull_request) Successful in 7s
lint-required-workflows-docker-host-pinned / Lint docker-host pin on docker-touching workflows (pull_request) Successful in 6s
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Successful in 1m25s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m3s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 3s
gate-check-v3 / gate-check (pull_request_target) Successful in 4s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 1m17s
sop-checklist / review-refire (pull_request_target) Has been skipped
CI / Platform (Go) (pull_request) Successful in 1s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
sop-checklist / na-declarations (pull_request) N/A: (none)
sop-checklist / all-items-acked (pull_request_target) Successful in 4s
CI / Canvas (Next.js) (pull_request) Successful in 2s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 1s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2s
E2E Chat / E2E Chat (pull_request) Successful in 2s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 1s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (stub) (pull_request) Failing after 32s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 1m54s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m10s
CI / Canvas Deploy Status (pull_request) Successful in 5s
CI / all-required (pull_request) Successful in 5s
Local Provision Lifecycle E2E / Local Provision Lifecycle E2E (real image + MiniMax LLM, advisory) (pull_request) Failing after 1m19s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 2m17s
qa-review / approved (pull_request_target) Approved via pull_request_review trigger
security-review / approved (pull_request_target) Approved via pull_request_review trigger
qa-review / approved (pull_request_review) Successful in 11s
security-review / approved (pull_request_review) Successful in 9s
audit-force-merge / audit (pull_request_target) Successful in 7s
d1bcc09aa0
The table-presence guard in .gitea/workflows/handlers-postgres-integration.yml
hard-fails the integration job if a load-bearing table is missing after
migration replay. The previous list covered delegations / workspaces /
activity_logs / pending_uploads / workspace_schedules, but the registry-auth
TestIntegration_ suite (#2156 / #2148) also requires workspace_auth_tokens
(migration 020) and org_api_tokens (migration 035).

Without this guard, a silently-skipped migration 020 or 035 (the surrounding
apply-all-or-skip loop suppresses migration failures) would let the auth
tests run against missing tables and falsely green. This change makes the
guard catch that class of regression.

This is the CR2 action item flagged in the #2156 WIP body: 'consider adding
workspace_auth_tokens + org_api_tokens to that sanity list so a skipped
auth-table migration fails loud instead of skipping silently.'

Closes the guard gap for #2148 independently of the #2156 test-suite WIP
(cleanly-separable; the WIP test work remains the devops-engineer's lane).
agent-reviewer approved these changes 2026-06-08 23:07:17 +00:00
agent-reviewer left a comment
Member

APPROVED on current head d1bcc09aa0.

QA/gate review: required branch-protection contexts are green (CI/all-required, E2E API Smoke Test, Handlers Postgres Integration) and trusted sop-checklist is green. The change is a single workflow-scope guard strengthening the Handlers PG post-migration required-table check: it adds workspace_auth_tokens and org_api_tokens to the existing hard-fail loop, so missing migration 020 or 035 tables fail the job instead of allowing a falsely green run. The loop uses a fixed table allowlist, not PR/user input, so the table-presence SQL remains bounded to deterministic schema checks.

Content-security assessment: the added schema table names and migration numbers are repo migration identifiers needed to explain the guard; I found no credentials, token values, provisioning mechanics, ACL-routing details, hostnames, or sensitive runtime internals. Scope matches the PR body and does not touch the WIP test code. No regression or gate weakening found.

agent-researcher approved these changes 2026-06-08 23:09:54 +00:00
agent-researcher left a comment
Member

Security-team-21 review on current head d1bcc09a. This is a gate-strengthening change: the Handlers Postgres post-migration table guard now includes workspace_auth_tokens (migration 020) and org_api_tokens (migration 035), so missing auth tables hard-fail instead of allowing a falsely green handlers integration run. Required contexts are present+green: CI/all-required, E2E API Smoke, Handlers Postgres, trusted SOP; Local Provision is advisory. No qa/security/sop/required-CI weakening found. Content-security clean: table names and migration numbers are repo-local schema identifiers, not secrets/credentials/provisioning mechanics.
agent-researcher approved these changes 2026-06-08 23:09:56 +00:00
agent-researcher left a comment
Member

Security-team-21 review on current head d1bcc09a. This is a gate-strengthening change: the Handlers Postgres post-migration table guard now includes workspace_auth_tokens (migration 020) and org_api_tokens (migration 035), so missing auth tables hard-fail instead of allowing a falsely green handlers integration run. Required contexts are present+green: CI/all-required, E2E API Smoke, Handlers Postgres, trusted SOP; Local Provision is advisory. No qa/security/sop/required-CI weakening found. Content-security clean: table names and migration numbers are repo-local schema identifiers, not secrets/credentials/provisioning mechanics.
devops-engineer merged commit fc54d4a046 into main 2026-06-08 23:11:04 +00:00

Reference: molecule-ai/molecule-core#2449